Drift Detection with AWS CloudFormation

December 13, 2018

A primary reason for building continuous delivery pipelines is to decrease the time it takes to get new software into the hands of users. Designing such a pipeline means identifying the manual steps in your existing process and substituting automation for them. The end result is an automated system that performs all the tasks needed to take the software through build, test and, lastly, deployment.

Infrastructure as Code (IaC) has revolutionized how we manage infrastructure in the cloud, and AWS CloudFormation has played a primary role in this change. As an AWS Premier Consulting Partner, Royal Cyber has many customers using AWS CloudFormation to deploy their infrastructure. Yet the benefits of AWS CloudFormation are not just about deployment: it is equally instrumental in maintaining their infrastructure and rolling out future upgrades to it.

Amazon Introduces CloudFormation Drift Detection

Drift detection is a feature that has been absent from the CloudFormation toolset for years. Ideally, we should always publish our infrastructure changes through CloudFormation. In practice, however, we frequently change infrastructure outside of CloudFormation, which causes the configuration of our infrastructure to drift from what is defined in the template. From time to time we need a summary of what has drifted so we can decide on the next steps.

For instance, to enable or disable an endpoint dynamically, we might have deployed a Lambda function that tweaks the priority of a load balancer rule, which could result in a drift that we already know about. We should therefore focus on the other drifts, those created during ad-hoc operations, such as a change to the maximum size of an Auto Scaling group made during a traffic peak.

CloudFormation allows you to declare the desired state of your infrastructure in a YAML or JSON file called a CloudFormation template. We can then use the template to create or update a CloudFormation stack, which manages the creation, update and deletion of your infrastructure resources.

If you are not already familiar with it, CloudFormation is a free service from AWS that lets you describe your infrastructure in a YAML or JSON file and then deploy that configuration. Simply define your desired state and CloudFormation will deploy the resources, ordering them so that dependent services are created after the services they depend on. If you know tools like Ansible, Chef or Puppet, this model will not be new to you.

Drift Detection to Meet the Agile Needs of Business

Drift detection is a potent tool that supports the adoption of continuous delivery pipelines and automation. It provides a mechanism to identify, and protect against, manual changes made outside of the pipeline that could compromise the reliability of the automation. By including drift detection in the pipeline we will know that our deployments have predictable results.
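As an added example that is not part of the original post, here is a pipeline gate in Python that fails the stage on unexpected drift: it tolerates the known Lambda-driven change to a listener rule priority described above but flags an Auto Scaling group whose MaxSize was changed by hand. The logical resource IDs, allow-list and sample drift records are constructed for the example; fetch_drifts assumes boto3 and AWS credentials are available.

```python
import time

# Constructed sample in the shape CloudFormation's describe-stack-resource-drifts
# returns (resource names and values are made up for this example).
SAMPLE_DRIFTS = [
    {"LogicalResourceId": "WebRule", "StackResourceDriftStatus": "MODIFIED",
     "PropertyDifferences": [{"PropertyPath": "/Priority", "ExpectedValue": "10",
                              "ActualValue": "50000", "DifferenceType": "NOT_EQUAL"}]},
    {"LogicalResourceId": "WebAsg", "StackResourceDriftStatus": "MODIFIED",
     "PropertyDifferences": [{"PropertyPath": "/MaxSize", "ExpectedValue": "4",
                              "ActualValue": "12", "DifferenceType": "NOT_EQUAL"}]},
    {"LogicalResourceId": "WebBucket", "StackResourceDriftStatus": "IN_SYNC", "PropertyDifferences": []},
]

# Drift we create on purpose outside CloudFormation (hypothetical allow-list):
# a Lambda toggles the endpoint by rewriting the listener rule's priority.
EXPECTED_DRIFT = {("WebRule", "/Priority")}

def unexpected_drifts(drifts, allowed=EXPECTED_DRIFT):
    """List (logical_id, path, expected, actual) for differences not on the allow-list."""
    findings = []
    for res in drifts:
        rid = res["LogicalResourceId"]
        if res["StackResourceDriftStatus"] == "DELETED":  # a removed resource is never acceptable
            findings.append((rid, "<resource>", "present", "deleted"))
        for d in res.get("PropertyDifferences", []):
            if (rid, d["PropertyPath"]) not in allowed:
                findings.append((rid, d["PropertyPath"], d["ExpectedValue"], d["ActualValue"]))
    return findings

def fetch_drifts(stack_name, region=None, poll_seconds=5):
    """Run drift detection on a live stack (needs boto3 + credentials); not used offline."""
    import boto3
    cfn = boto3.client("cloudformation", region_name=region)
    detection_id = cfn.detect_stack_drift(StackName=stack_name)["StackDriftDetectionId"]
    while True:  # detection is asynchronous; poll until it finishes
        status = cfn.describe_stack_drift_detection_status(StackDriftDetectionId=detection_id)
        if status["DetectionStatus"] != "DETECTION_IN_PROGRESS":
            break
        time.sleep(poll_seconds)
    if status["DetectionStatus"] == "DETECTION_FAILED":
        raise RuntimeError(status.get("DetectionStatusReason", "drift detection failed"))
    return cfn.describe_stack_resource_drifts(StackName=stack_name)["StackResourceDrifts"]

if __name__ == "__main__":
    findings = unexpected_drifts(SAMPLE_DRIFTS)  # in a pipeline: fetch_drifts("my-stack")
    for rid, path, expected, actual in findings:
        print(f"DRIFT {rid}{path}: template says {expected}, live value is {actual}")
    raise SystemExit(1 if findings else 0)  # non-zero exit fails the pipeline stage
```

The sample run reports only the Auto Scaling group, because the listener rule's priority change is on the allow-list.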

Crack it with Royal Cyber

This has been a common feature request among many of our customers who want to ensure their deployments are configured as expected. With this feature you can see in the CloudFormation console whether a stack's resources have been changed manually. For more information about this new feather in AWS's cap and how it can help your organization, email us at info@royalcyber.com or visit www.royalcyber.com.